pfSense

Hi,

My setup¶

• 2 pfSense boxes running in HA setup
• Remote logging enabled
• DHCP servers with failover mode
• Some DHCP interfaces with "Enable Static ARP entries" enabled

Symptoms¶

I've noticed that one or the other pfSense box randomly stop sending logs to our remote syslog server. I had to click on the Save button of status_logs_settings.php to re-enable remote logging.

Conclusion, after investigation¶

The physical address of pfsense boxes were set up in DHCP Static Mappings of interfaces with "Enable Static ARP entries" enabled : this was my mistake and the source of my troubles. When I applied some configuration changes, these two relevant lines appeared in local system log (IP and mac have been changed) :

Apr 15 10:45:46     php-fpm     80873     /xmlrpc.php: The command '/usr/sbin/arp -s '192.168.0.248' 'ab:cd:ef:01:23:45'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted'
Apr 15 10:45:46     syslogd         sendto: Invalid argument

I understood that the os refused to set up static arp mapping for its own interfaces, and removing the pfSense static mappings solved my problem. However, I think that a configuration error shouldn't crash a critical daemon like syslog.